This is a fairly long post and the last in the Apache series. In it we will see how to secure a website with Active Directory integration for user logins and a self-signed certificate to encrypt the login details and the subsequent session.
To accomplish this we divide the work into sub-tasks.
Subtask1 : Create a sub-domain on the DNS server, a website directory on our Apache server, and an index.html file.
Subtask2 : Create the SSL certificate.
Subtask3 : Create an AD account on the AD server which will act as the default (bind) account Apache uses to query/authenticate the users logging in to our portal with AD authentication.
Subtask4 : Configure AD authentication and SSL on our Apache server.
Step1 : Check whether the Apache package is installed. If it is not, install it (and openssl).
#rpm -qa | grep httpd
#yum install httpd
#yum install openssl
Step2 : Create a DNS CNAME entry for this virtual host, adssl.linuxnix.com, pointing to our server name server.linuxnix.com.
Step3 : Create a home directory for our virtual host and an index.html file in it.
Write something to this file, then save and exit.
Step4 : Create an SSL self-signed certificate for our site.
What is a self-signed certificate?
Ans : A self-signed certificate is one generated locally on the server that will host the SSL-enabled website, rather than being signed by a Certificate Authority (CA). It is used when the site or server owner does not plan to have the certificate signed by a CA, or when the certificate is only for testing a new SSL implementation.
Such a temporary certificate will produce an error in the client browser to the effect that the signing certificate authority is unknown and not trusted, because it is not signed by any known trusted CA.
To generate a self-signed certificate we have to generate two things:
1. A private key, which stays on the server.
2. A CSR (Certificate Signing Request), which is used to generate the self-signed certificate.
Step4(a) : Generate a private key. Keep this key in /etc/httpd/conf/sslcrt.
Note : We can create this key in any location, but /etc/httpd/conf/sslcrt is easy to remember.
#openssl genrsa -des3 -out server.key 1024
Once we execute the above command it will prompt for a new pass phrase, as shown below.
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for server.key :
Verifying - Enter pass phrase for server.key :
Enter a pass phrase for the server key; this is a password, so remember it.
Let me explain the command:
openssl is the command-line tool used to generate the key and the certificate.
genrsa tells it to generate an RSA key, written to server.key, encrypted with DES3 (-des3) and 1024 bits in length.
To see the files created, just run ls.
Step4(b) : Now generate a CSR (Certificate Signing Request)
#openssl req -new -key server.key -out server.csr
When you execute this command you will be prompted for a number of inputs, as shown below.
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
Into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Andhra Pradesh
Locality Name (eg, city) [Newbury]:Hyderabad
Organization Name (eg, company) [My Company Ltd]:The Linux juggernaut Ltd.
Organizational Unit Name (eg, section) :IT Support Group
Common Name (eg, your name or your server’s hostname) :Surendra kumar Anne
Email Address :[email protected]
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password :
An optional company name :
These are self-explanatory entries, so you can give your own details. Just press Enter at "A challenge password" and "An optional company name"; don't write anything for these two entries.
To see the files you have created, just run ls.
Step4(c) : Remove the pass phrase from the key. It is not required, and whenever the Apache service is restarted the system will ask for this pass phrase. To avoid someone having to sit in front of the system and enter the pass phrase after a reboot, a service restart or a crash, we remove the pass phrase as shown below.
#cp server.key server.key.org
#openssl rsa -in server.key.org -out server.key
This will ask for the pass phrase one last time. Just enter the pass phrase you gave earlier.
Step4(d) : Now it's time to generate the self-signed certificate.
#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Once you execute the above command you will get output as shown below.
subject=/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=The Linux juggernaut Ltd./OU=IT Support Group/CN=Surendra kumar Anne/[email protected]
Getting Private key
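Step 4 as one non-interactive script, with the checks worth running before Apache loads the files. This is an added example, not the post's own commands; it assumes openssl is on the PATH, writes into a scratch directory (the post uses /etc/httpd/conf/sslcrt), uses 2048-bit RSA with SHA-256 instead of the 1024-bit/SHA-1 defaults of the post's commands, and sets the Common Name to the site host name rather than a person's name, because browsers compare the CN with the host in the URL.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed.
set -e

# Generate key, CSR and self-signed certificate without prompts. The key is
# written without a pass phrase from the start (the post adds one in 4(a) and
# strips it again in 4(c)); umask 077 makes the key readable only by its owner.
gen_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    umask 077
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=The Linux juggernaut Ltd./OU=IT Support Group/CN=$cn" 2>/dev/null
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Check that the certificate belongs to the private key Apache will load:
# both must carry the same RSA modulus. Prints "match" or "MISMATCH".
key_cert_match() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] && echo match || echo MISMATCH
}

# Subject CN of the certificate (works with both old "/CN=" and new "CN = " forms).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# A self-signed certificate is its own issuer: subject and issuer are identical.
is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1"); i=$(openssl x509 -noout -issuer -in "$1")
    [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # scratch directory; the post uses /etc/httpd/conf/sslcrt
gen_selfsigned "$CERT_DIR" adssl.linuxnix.com 365
echo "key/cert: $(key_cert_match "$CERT_DIR/server.key" "$CERT_DIR/server.crt")"
echo "CN: $(cert_cn "$CERT_DIR/server.crt")  self-signed: $(is_self_signed "$CERT_DIR/server.crt")"
```

Because the key has no pass phrase, its file permissions are the only thing protecting it; keep it owned by root with mode 600 once copied to /etc/httpd/conf/sslcrt.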
Step5 : Create a normal AD account on your domain controller and assign it a complex password.
Step5 : Configure the virtual host now in our httpd.conf file, which is located at /etc/httpd/conf/
Step5(a): Specify NameVirtualHost
NameVirtualHost server.linuxnix.com
Step5(b) : Specify ServerName as server.linuxnix.com in the httpd.conf file
Step5(c) : Now go to the end of the httpd.conf file and add the entries below.
SSLProtocol all -SSLv2
SSLCertificateKeyFile /etc/httpd/conf/sslcrt/server.key
Options Indexes FollowSymLinks MultiViews
Allow from all
AuthName “Please enter your AD credentials to access this portal”
Let me explain each of the new entries in this virtual host.
AuthBasicProvider ldap: we are telling Apache that authentication is provided by LDAP, i.e. the AD server.
AuthzLDAPAuthoritative: prevents other authentication modules from authenticating the user if this one fails. Here it is off, so if LDAP authentication fails Apache will try the other configured authentication providers too.
This is an important line. AuthLDAPBindDN gives the DN of the connecting account: the account itself (here the test_apache AD account), the container it lives in (cn=Users) and the domain it belongs to (linuxnix.com, i.e. dc=linuxnix,dc=com).
Note : If your domain ends with .co.in then the domain part should be dc=linuxnix,dc=co,dc=in.
This line (AuthLDAPBindPassword) provides the AD password (here UV4Ziu6v) for the user test_apache.
So why do we require this user name and password?
Ans : We require them because Apache binds to the AD server as this test user in order to look up and authenticate the AD users who log in.
This line (AuthLDAPURL) indicates where test_apache should connect to perform user authentication: connect to dc.linuxnix.com on port 3268 (the Global Catalog port) with the base DN dc=linuxnix,dc=com.
This line (Require valid-user) indicates that any valid AD user is allowed to access this portal.
Note : Sometimes we need to give access only to particular users; then you can specify the ldap-user requirement as shown below.
Require ldap-user surendra_anne surya_t meghana_bm
When Apache sees the above line it will allow only surendra_anne, surya_t and meghana_bm to access this portal; all remaining AD users are denied.
Now save and exit the file.
Step6 : Check the httpd.conf file for syntax errors before restarting the Apache service.
#httpd -t
Step7 : Now restart the service and add it to the boot scripts so that it starts automatically at every boot of the system.
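The virtual host the Step 5 entries belong to, written out in full in Apache 2.2 syntax (the version the post's NameVirtualHost and chkconfig commands imply). This is an added example, not the post's own configuration; the names adssl.linuxnix.com, dc.linuxnix.com, /var/www/adssl and the bind account test_apache are assumed from the post, and BINDPASSWORD is a placeholder for the account's real password.

```apache
# Added example (not the post's own httpd.conf). Apache 2.2 syntax.
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName   adssl.linuxnix.com
    DocumentRoot /var/www/adssl

    SSLEngine on
    # Disable the broken protocol versions (the post disables only SSLv2).
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/httpd/conf/sslcrt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/sslcrt/server.key

    <Directory /var/www/adssl>
        Options Indexes FollowSymLinks MultiViews
        Order allow,deny
        Allow from all

        AuthType Basic
        AuthName "Please enter your AD credentials to access this portal"
        # Authentication is provided by LDAP, i.e. the AD server.
        AuthBasicProvider ldap
        # Off: if LDAP cannot authenticate the user, other providers may still try.
        AuthzLDAPAuthoritative off
        # Account Apache binds as to look users up: account, container, domain.
        AuthLDAPBindDN "cn=test_apache,cn=Users,dc=linuxnix,dc=com"
        AuthLDAPBindPassword BINDPASSWORD
        # Global Catalog port 3268; search the whole domain by sAMAccountName.
        AuthLDAPURL "ldap://dc.linuxnix.com:3268/dc=linuxnix,dc=com?sAMAccountName?sub?(objectClass=*)"
        # Any authenticated AD user; uncomment the next line instead to allow only named users.
        Require valid-user
        # Require ldap-user surendra_anne surya_t meghana_bm
    </Directory>
</VirtualHost>
```

AuthLDAPBindPassword is stored in cleartext, so httpd.conf should not be readable by non-root users, and a plain ldap:// URL also sends that password over the network unencrypted; where the domain controller offers it, ldaps://dc.linuxnix.com:3269 together with LDAPTrustedGlobalCert protects the bind.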
#service httpd restart
#chkconfig httpd on
Step8 : Now try to access https://adssl.linuxnix.com; you will be prompted for an AD user name and password.